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Introduction 


The aim of this course is to present an advanced primer for design for operator experience in complex techno- 
logical systems. The course derives from the field of study known as Human Factors. Specifically, it derives from a 
sub-field known as Cognitive Systems Engineering, Cognitive Engineering or Cognitive Human Factors. The goal of 
this subfield is to support humans in cognitive tasks and capabilities while interacting with technological systems. 
Within this sub-field there is an important direction towards appropriate interaction design for humans, such as 
operators, in complex technological systems. Oftentimes, the design for operator experience is also categorized 
under the label of Human Machine Interaction (HMI) design; however, HMI is more appropriately a part of the 
broader discipline of Human Factors (Cognitive Human Factors/ Cognitive Systems Engineering).One particular 
thread of research in this area was specifically devoted to the design for operators in safety-critical sectors, such 
as nuclear. Later the frameworks and ideas were extended to broader sectors to include oil and gas, defence and 
aviation, among others. This approach to design has been developed significantly by a number of researchers in 
human factors in the last few decades. In this tutorial, design of interfaces in complex technological systems will 
be outlined briefly deriving from a few major texts and papers in this area that have been listed in the bibliography 
for further reading. Thus, this advanced primer serves as an invitation to explore the field of interaction design for 
complex systems. 


In order to design for operator experience in complex systems, certain design processes and frameworks have been 
developed by human factors researchers, practitioners and designers working in the area of complex systems. 

The tutorial begins with Section 1 presenting a case study of poorly designed interfaces in healthcare that actu- 
ally caused deaths. This section also presents a cautionary note on the need to design proper interfaces for engi- 
neered systems and sets the basis of the rest of the primer. The tutorial continues with listing out the challenges of 
interaction design in complex systems in section 2. It then provides a brief historical outline of human factors, and 
interfaces in complex systems in Section 3. In section 4, the steps for the design of interfaces have been outlined. 
The tutorial concludes with a bibliography that is the basis of the ideas, processes and methodologies expressed in 
the tutorial. It also serves for pointing the way forward for readers who wish to explore this area in greater detail. 


Learning Objectives 


By the end of this primer, you will be able to, 
a) Recognize the challenges involved in designing for operator experience in complex technological systems. 


b) Identify the need for a structured design process to support humans in the operation of complex technological 
systems. 


c) Use the design concepts and processes for designing for operator experience in complex technological systems. 
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Poorly Designed Interfaces Kill People 


Poor interface design can kill people! In this section, we introduce a case study of Therac-25 which highlights 
such a scenario. Therac-25 was a computerized radiation therapy machine, devised by Atomic Energy of Canada 
Limited (AECL), with one of the most dangerous human interface design and software related accidents. In this 
discussion of the case study, we will focus on the interface problems. The material discussed here has been gath- 
ered from three main sources described in the further readings section: Casey (1993); Leveson and Turner (1993) 
and Leveson (2017). The ones reading the primer are requested to consider these three documents for detailed 
understanding of all aspects of the accidents in Therac-25 case. 


AECL and CGR, a French company collaborated to build medical linear accelerators that accelerate electron 
beams that could destroy tumours with minimal impact on the surrounding healthy tissues. Although AECL 
developed a radically new “double-pass” concept of electron acceleration in the 1970’s, AECL and CGR’s business 
relationship faltered. AECL started to build its own radiotherapy machine with their newly developed concept. 
This new technology was beneficial as it reduced the amount of space and energy required. Therac-25 was built 
on this new concept. 


Therac-25 was a dual-mode linear accelerator that could deliver photons at 25 MeV or electrons at various energy 
levels. Therac-25 is more compact, more versatile and easier to use. The machine took advantage of the “depth 
dose” phenomenon allowing it precise localized aim at malignant tissue. The machine was designed to take ad- 
vantage of the computer control from the outset and not be a stand-alone machine. It relied more on the soft- 
ware for the functions, and the computer's ability to control and monitor the hardware safety mechanisms and 
interlocks. 


Although the machine was based and inspired from machines that had a history of clinical use but its past was 
without computer control. It also contained the industry-standard hardware safety features and interlocks which 
were manually controlled instead of letting the computer take over the control. With change in technology and 
growth of computers, the team behind Therac-25 put more faith on the software than on hardware reliability. 
The first hardwired prototype was produced in 1976 and a completely operational computerised commercial ver- 
sion was made available in late 1982. In March of 1983, a safety analysis was performed by the AECL in the form of 
a fault tree but apparently excluded the ones related to software and human interaction. 


Operator Interface: 

Therac-25 was operated through a DEC VT100 terminal. The operator would position the patient on the treat- 
ment table, and manually set the treatment field size, and gantry rotation, among other requirements. The oper- 
ator then had to enter the patient identification, treatment prescription-mode, energy level, dose, dose rate and 
time, field sizing, gantry rotation and accessory data through the VT100 console. 
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The system would then compare the manually set values with those entered into the console, and if it did match, 
a “verified” message would display permitting the system to treat. If it did not match, treatment would not pro- 
ceed until corrected. These steps took a long time. Not surprisingly, the operators grumbled about this initially. 
Therefore, to accommodate this issue, the manufacturer made a provision by which instead of re-entering the 
data at the keyboard, a quick series of carriage returns was used to merely copy the treatment site data. This 
interface modification came into sharp relief in several of the accidents. 


During operation, in case of an error, the machine was designed to shut down in two ways - first, a treatment 
suspend which required the system to be reset in order for it to restart; second, a treatment pause which re- 
quired a single-key command to restart. The treatment pause could be resumed with the “P” key to proceed with 
the treatment. This feature could be invoked a maximum of five times, after which the machine would automati- 
cally stop the treatment and the operator had to reset the system. 


The messages related to any error in the system were quite cryptic. For example, the word “malfunction” fol- 
lowed by a number: “Malfunction 54”. In many of such cases, the operator could not refer to the manual as such 
scenarios were either not properly documented or provided no explanation. The operator did not have any 
knowledge about the fact that the malfunction messages were placing the patients under possibilities of harm. 
Further, Therac-25 did not have any in-built safety system that could prevent over-dosage caused by incorrect 
parameters being entered or intermixed. 


In many cases, the operators explained that they had become immune to the error messages because they did 
not think that these were hampering patients’ safety. In most cases, when the malfunctions occurred, either the 
service technicians or the hospital physicist would make the Therac-25 operable again. 


Messages regarding low dose rate, V-tilt, H-tilt and many other issues, were quite normal during operation. 
Further, when the operators were instructed about the capabilities of the machine, they were given to under- 
stand that the machine had “many safety mechanisms” that would make it “virtually impossible” to overdose the 
patients. In their minds, the operators were convinced about the safety of the system. 
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PATIENT MAME : TEST 
TREATMENT MODE : FIX BEAM TYPE: X ENERGY (Kev): 


PRESCRIBED 


UNIT RATE/MINLTE 
MONITOR UNITS 
TIME (MIN) 


GANTRY ROTATION (DES) ] VERIFIED 
COLLIMATOR ROTATION (DEG) VERIFIED 
GOLLIMATOR x (CM) VERIFIED 
SOLLIMATOR 4 (ha) : VERIFIED 
WEDGE NUMBER VERIFIED 
AGCGESSORY NUMBER VERIFIED 


DATE : 84-OCT-26 SYSTEM: BEAM READY MICE: T AUTO 
TIME ; 12:35. 6 TREAT ; TREAT PAUSE ' VFatit 
OPR ID: T23VO2-RO3 REASON: OPERATOR : 


Operator Interface of Therac-25. Recreated from Leveson and Turner (1993). 


Therac-25 Accidents: 

AECL had eleven Therac-25 installed machines - five in US and six in Canada. There were a total of six reported 
accidents between 1985-87. Due to the accidents, the machine was recalled in 1987 for extensive design chang- 
es—hardware and software. We list, below, in a chronological manner the accidents that resulted in deaths and 
considerable injuries due to Therac-25. Amongst these, one accident (East Texas Cancer Centre, March 1986) has 
been developed in some detail to understand the functioning of the interface and its role in the accident. 
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Yakima Valley Memorial He 
Yakima, Washington - De 


Map of accident sites of Thearc-25 between 1985-1987. 
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a. Kennestone Regional Oncology Centre, 1985: A 61 year old woman had undergone lumpectomy to remove a 
malignant breast tumour and was receiving follow-up radiation therapy to nearby lymph nodes. Due to Therac-25 
malfunctions, the patient’s breasts had to be removed because of the radiation burns and she lost the use of her 
shoulder and arm. The manufacturer and operators refused to believe that an accident of this magnitude could 
be caused by the machine! 


b. Ontario Cancer Foundation, 1985: On July 26th, 1985, a 40 year old patient who was being treated for carci- 
noma of the cervix treatment but the machine shut down after only five minutes of activation with an “H-tilt” 
error message. The display at the time read “no dose” but indicated a “treatment pause”. Due to poorly designed 
messages, interface problems as well as general technical problems of Therac-25, the AECL technicians estimated 
that the patient had received a very heavy radiation exposure (about 13,000 to 17,000 rads). 


c. Yakima Valley Memorial Hospital, 1985: On December 1985, a woman who had come in for treatment with 
Therac-25 resulted in erythema, a condition of excessive reddening of the skin in parallel stripes on her right hip. 
She continued her Therac-25 based treatment because the cause of the reaction on her skin was not determined. 
Much later, when Therac-25 issues were brought to light, it was discovered that the patient had suffered from 
chronic skin ulcer, tissue necrosis under the skin and had been in constant pain ever since. these symptoms were 
relieved when the tissues were surgically repaired and skin grafts were made. The patient survived but was faced 
with minor disabilities and some scars. 


d. East Texas Cancer Centre, March 1986: Therac-25 had been in use at the centre for two years without any ac- 
cidents. More than 500 patients had been treated until then with that machine. It is the only accident with much 
more details than the others due to the diligence of the hospital physicist, Fritz Hager, whose efforts helped in 
understanding the problems of the machine. 


Therac-25 unit 


Therac-25. Redrawn from Leveson and Turner (1993). 
Notice the control computer outside of the patient 
room. The operator had a view inside the treatment 
room through a TV camera and an intercom. The oper- 
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The operator, Mary Beth had worked for some time in 
the hospital and had quite a level of typing efficiency 


Cox was used to watching Mary Beth operate the with her experience. But she failed to notice that the 
hand-held control console that rotated the table and video monitor that would ideally give here the view to 
him to the proper position underneath the machine's the patient room was unplugged and also the inter- 
gantry. after this Mary Beth left the patient room and linking intercom was not in a functional state. How- 
went to the adjacent room where the control comput- —_— ever, since she had conducted this work before, she 


er was placed. proceeded with the session. 
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She entered the patients prescription data with great 
efficiency but then realised she had made a mistake in 
entering the wrong mode, x instead of e. That means 
that she had entered for the x-ray mode instead of 

the electron mode he was supposed to receive. She 
had been administering most x-ray treatments so was 
accustomed to the typing errors. It was an easy to fix 
mistake, just an up key that would edit the mode entry. 
After verifying all parameters and correcting the error 
within eight seconds she began the treatment process. 


A moment later the machine shut down displaying 
“Malfunction 54”, and the treatment paused indicat- 
ing a problem of low priority. The monitor showed 
Inside the shielded patient room of the machine, Cox no dose being fired, clicked in for a round two of the 
saw a flash of blue light and heard a sizzling sound treatment. The sheet on the side of the machine 
before he felt a shot of heat on his shoulder. showed the malfunction as a “dose input 2” error. 
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2. Poorly Designed Interfaces Kill People 


In the room, Cox tried to roll to his side only to feel a Mary Beth had no idea what the error code meant 
second shot to his neck while he screamed to stop. He leading to her hitting the proceed a third time. Outside 
felt his chest muscles constricted, squeezing the air on the treatment table when he was shot a third time, 


out of his lungs. he had better run out to get help. 
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Eventually, Mary Beth realized that there was some 
He ran out in fear of his life and writhing in pain, and problem in the treatment room, came out and was 
bumped into technicians walking down the hall. met with Cox at the Nurse’s Station. 
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CLINIC 


Cox went on to explain that he had received continued 


and painful shots of “electric shocks” while lying on the 


table. 


2 


_ = e+ 7 | 

Mary Beth responded by saying that nothing like that 
had ever occurred before and had no idea what might 
have caused it. The machine had malfunctioned and 
shut down automatically, showing that Ray had only 
received a tenth of his prescribed treatment! 
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1/10th 
Radiation 


Not much information was made available in the instruction manuals or other documents explaining the mal- 
function. Later on one of the AECL technicians explained “dose input 2” as a dose that had either been delivered 
too high or too low. The monitor showed a substantial under-dose of radiation - about 6 monitor units was deliv- 
ered while the operator requested 202 units. 


The physician observed that Ray Cox had an intense erythema over the treated area but it suspected nothing 
more serious than an electric shock. He was discharged with an instruction to return if he suffered any further 
reactions. The physicist found the machine calibration with specifications with no problems, so more patients 
were treated throughout the day on the same machine. 


In actuality, the patient, Ray Cox, had received a massive overdose of radiation concentrated to the center of the 
treated area, which was estimated a possible dose of 16,500 to 25,000 rads in less than 1 sec over an area of 1cm. 
The patient experienced continued pain in his neck and shoulder area, later lost the function of his left arm and 
had periodic bouts of nausea and vomiting too. He was later hospitalised for radiation induced myelitis of the 
cervical cord causing paralysis to his left arm and both legs, left vocal cord and left diaphragm. He finally died of 
complications from the overdose five months later. 
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The physicist and the operator spent a whole day of running tests on the machine but it did no help and he was 
not told of the other accident reports that had been made of overexposure. One of the engineers doing the 
investigation suggested that an electrical problem might have occurred. 


An independent engineering firm conducting their own investigation, in their final report, explained that no 
electrical grounding problem was detected in the machine and was not capable of giving an electrical shock. The 
machine, having found no problem during the investigation was put back into service on April 7th, 1986. 


e. East Texas Cancer Centre, April 1986: On April 11th, a male patient was scheduled to receive an electron treat- 
ment for skin cancer on the side of his face with a prescription was of 1OMeV to an area of 7x10 cm. It was almost 
similar to the previous occurrence of radiation overdose in the same year. The patient died three weeks later 

of overdose on May Ist, 1986. He suffered disorientation which progressed to coma with a fever of 104 degrees 
Fahrenheit, and neurological damage. An autopsy showed acutely high dose of radiation injury to the right tem- 
poral lobe of the brain and brain stem. 


f. Yakima Valley Memorial Hospital, 1987: On January 17th, the second patient of the day was scheduled to re- 
ceive two film-verification exposures of 3 and 4 rads electron + 79 rads photon treatment. Later after the acci- 
dent with Therac-25, AECL’s preliminary measurement of the dose delivered on the day when the turntable was in 
the field-light position was estimated to be 4000 to 5000 rads. Since two attempts were made, it was estimated 
that the patient had received an approximate of 8000 to 10000 rads instead of the 86 rads he was supposed to 
receive. 


Insights For Interface Design: 

Therac-25 served as a major lesson for human factors and interface design of safety-critical systems. The insights 
gathered have been generalizable to almost every industry that employs safety-critical devices. We present some 
interrelated learnings that are applicable to interface design. 


a) Need for proper requirements: Safety depends on the context or more specifically on the system it is used 

in and not on the software itself. In most if not all accidents involving the software resulted from flawed soft- 
ware requirements and not on its implementation. People misunderstand that software is safe, if it satisfies the 
requirement of the software. But most software-related accidents, oftentimes, do not involve coding or imple- 
mentation errors but requirement flaws. In order to reduce software-related accidents, proper safety-critical 
requirements are important for building safety into these machines. Safety can’t be ensured at the end; it has to 
be built in from the beginning. Therefore, we need good requirements right from the very beginning including 
ones for the human interface. 
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b) Inadequate investigation of incidents or follow-up on accident reports: Most of the time of such technologi- 
cal accidents the blame is put on the operators rather than acknowledging the technical and interface design er- 
rors. Blaming on the operators, leads to patching the symptoms but does no help in understanding the systemic 
causes of the loss. Unfortunately, the blame game finds operators as their primary target. Changing operators re- 
sults in fixes-that-fail. Thus, the accidents remains latent in the system regardless of the operator being changed. 
In these situations, in order to prevent future accidents, the role of the entire system needs to be addressed for 
understanding the accident. Thus, proper interface design and associated issues resulting in accidents should 
be recognized as a systemic concept in safety-critical system. Further, they should be properly investigated 
with appropriate models and frameworks. 


c) Safe versus “friendly” user interface, role of “human error”: In safety-critical systems, there is often a 
tension between safety and “ease of use”. Oftentimes, the sine qua non of interfaces is to make them simple 

and easy to use. However, in case of safety, we should ensure that actions through the interface that may lead 

to unsafe states (hazards) are relatively difficult as well as have proper checks and balances. There should also 

be provision for the operator to recover from slips and mistakes through the interface by providing appropriate 
recovery mechanisms. This will ensure that operators are not blamed for flawed interface design. In other words, 
we can design safety into the system. “Human error” in many cases maybe a misnomer. 


As the case-study demonstrates, our main challenge is to understand, how to design for the human in complex 
technological systems to which we turn next. 
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Interface Design for Complex Technological Systems 


In the last century, there was a growth of new technological sectors. These included rapid changes in areas such 
as nuclear, oil & gas, aviation, and chemicals, among others. All of these sectors involved not only the growth of 
the individual products but an interconnected systems of technologies along with people involved in the opera- 
tion and maintenance of these integrated technologies. These systems are often complex in nature an involve a 
lot of uncertainty in their operation. 


As these systems slowly developed, there was a rapid recognition that appropriate care has to be taken to ensure 
that these systems do not malfunction. Specifically, in safety-critical systems, malfunctions result in incidents, 
accidents, disasters and catastrophes. The hazards that these technologies, specifically nuclear and chemical, 
pose are not only limited to the limited to the immediate but lasts over subsequent generations. One can only 
think about places such as Chernoby] in erstwhile USSR or Bhopal in India where health implications of systemic 
disasters have been appalling. Therefore, a major challenge in these systems has been the need to ensure reliable 
operations. In order to ensure systemic operations, a crucial aspect of these technological systems has been the 
inclusion of the human as part of the overall system. 


HMI design in technological systems has been studied extensively in cognitive systems engineering, a sub-dis- 
cipline of Human Factors intersecting with Systems Engineering. For ease of understanding we will divide the 
involvement of the humans in technological systems in two categories. The first category deals with humans 
in-relation to other humans (groups, teams and organization, including health and occupational safety). 


The second category deals with humans in relations with the immediate technologies — human machine inter- 
action. This second category is the key idea that will be explored in this tutorial. Our main challenge is to design 
the human machine interface (HMI). It should be noted that the these complex technological sectors involve a 
heavy emphasis on the engineered dimension. This heavy technological focus imposes certain constraints on the 
activities of the users. In other words, the HMI design challenge is to design in such as manner so as to balance 
both the technology and the human together. This will ensure through the process of design that the operator is 
efficacious in any given situation while ensuring overall systems safety. Human factors researchers have, there- 
fore, emphasized the harmony between the humans and technologies by ensuring a “joint-optimization” of the 
two. 
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Role of human technology interaction in complex technological systems. Adapted from Kyriakidis, Kant, Amir and 
Dang, 2018. 
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In addition to the above, the design of HMI in technological systems should be human-centred; i.e. it should 
support the mental models of the operators involved in the operating the system while taking the technology 
into account. Towards this end, User-Centred Design (UCD), has been quite successful in promoting the need for 
involving the users right from the beginning of the planning and design process as well as throughout the systems 
life-cycle. While the need to ask users and get their feedback at all stages has been highly efficacious for design, 
there are certain limitations that UCD faces in highly complex technological systems. 


First, focussing on “users” as a category is not enough to design the HMI. This is because users and operators are 
different roles that humans take up in complex systems (Kant, 2017). Operation of systems will require mental 
models and activities of operators because it is differentiated from what users do in terms of interaction with the 
system. In other words, operators and users have different goals and in our case mindsets in the manner in which 
they interact with the system and the design process should be such so as to cater to the needs and requirements 
of the operators. Second, the operator’s mental models of the complex technologies need to be addressed more 
holistically such that both novice as well as expert operators are able to deal with unanticipated situations such 
as abnormal plant functioning. In moments of acute unanticipated disturbance, operators, being human, may not 
have all the vantage insights that need to be addressed for operation. 


In order to deal with unanticipated situations as well as having a holistic understanding of mental models for nov- 
ices and experts alike, we have to understand the underlying constraints of technology and represent it in ways 
that becomes efficacious for the operators. By identifying the constraints imposed by the technology, we will 

be able to identify human activities that fit in within those constraints without violating them. Stated in design 
terms, the technological basis has to be represented in terms of an experiential basis. In terms of HMI design, if 
we are able to represent the technological constraints in the HMI such that the operators are aware of it, then 
during abnormal conditions, they will be able to act such that the constraints are restored and the system returns 
back to its normal functioning. 


Therefore, our design challenges involves developing better representations, preferably, simple forms to depict 
the inherent complexity of the work domain, so that the operator’s mental models are supported. Based on a 
number of studies done in a variety of technological sectors, researchers from human factors have found this 
approach of representing constraints to be quite beneficial for HMI design. In the discipline of human factors, a 
number of conceptual and design theories, frameworks and methodologies have been developed. In this primer, 
we will focus on one approach called Ecological Interface Design (EID) that has been significantly successful in 
addressing the challenges of HMI design in complex technological systems. 


Note: It should be noted that the exposition of EID in this primer is at a broader level and is presented in an over- 
view format. A more detailed treatment of EID can be found in books listed in Bibliography and Further reading 
section. In addition, the insights presented here about EID should be taken together with other principles and 
strategies used by designers for developing interfaces. 
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Design for Operator Experience using EID 


Interface design in complex technological systems is a multi-disciplinary endeavour. In particular, the approach 
of EID derives from engineering design and psychology. The engineering design roots can be traced back to the 
researchers at Ris@ National laboratories in Denmark starting from the 1960s. The Ris@ laboratories were setup 
by the Nobel Laureate Niels Bohr for the peaceful use of nuclear energy. Currently, Ris@ Laboratories is a part of 
Technical University of Denmark and focuses on sustainable energy (DTU: https://www.dtu.dk/english/about/ 
campuses/dtu-risoe-campus). 


Since the 1960s, the electronic division of Ris@ was involved in ensuring technical reliability of electronic equip- 
ment related to nuclear research reactors. Over a period of time, the group started to recognize that ensuring 
technical reliability was not enough for the overall plant functioning. The human operator had to be taken 
together with the power plant to ensure overall plant functioning and reliability. In other words, the problem of 
technical reliability was reassessed as problem of human systems reliability. In the process of recognizing the role 
of the human, a necessary emphasis was placed on the design of displays. The key idea was that the human was 
system component and the technological system, the human’s environment. This is one of the most fundamental 
insights for understanding interaction design in complex technological systems. In addition, over a period of a 
few decades, human operators and their activities were studied and a variety of other insights were formulated 
about operator performance (for example, use of skills, rules and knowledge taxonomy of human performance 
for proper interface design). These insights as well as others led to the creation of several conceptual structures 
that designers could use for HMI design for complex technological systems. One such conceptual structure was 
the Abstraction Hierarchy (AH). This AH can be used by designers to elicit design requirements and form the 
basis in the design process (discussed in detail in the next section). 


In the wake of Three Mile Island Accident in 1979, researchers started to recognize that interface design was of 
crucial importance to support the operators’ diagnosis of the mal-productive changes in the powerplant. Ap- 
propriate information through the interface and subsequent actions through the interface would enable them 
to bring back the power plant to a normal state of functioning. During the decade of 1980s and beyond, there 
was a growth in a “human-centred” outlook for technological design. Towards the end of 1980s and early 1990s, 
the ideas from the Ris@ group, specifically the ones put forward by Jens Rasmussen, were coalesced in a series of 
publications providing the basis of HMI foundation for EID (example: Rasmussen, 1986; Rasmussen, Pjetersen and 
Goodstein, 1994). This work was built upon Jens Rasmussen's existing work in the past decades at Ris@. 
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Rise Laboratories, Denmark: 6 June 1958 
Niels Bohr’s vision of the peaceful use of nuclear energy 


mid-1980s: Focus on sustainable energy 


The EID approach was further developed by a number of researchers in the 1990s and beyond in areas such as 
HMI design for pasteurizers, petrochemicals, healthcare, military command and control, among many areas 
(Vicente, 2002;Vicente & Rasmussen, 1992). A more broader history of EID and Ris approach can be found ina 
number of articles and are provided in the Bibliography and Further Reading section. In the next section, we will 
take a step-by-step approach beginning from requirements gathering towards developing graphic forms for HMI. 
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The Design Process 


In the previous sections, we identified the challenges of interaction design in complex systems. Specifically, we 
noted the limitations of UCD for these systems as well as the need to understand the technology in experiential 
terms to support the mental models of operators. In this section, we will look into how we design interfaces for 
complex systems. Earlier, we had highlighted the need for a “joint optimization” of the human and technology. 
Therefore, one challenge is how to depict the constraints inherent in the technology so that the operators can 
act effectively on the system. HMI should ideally be designed in such a manner such that operators can act effec- 
tively on the system whenever required, in light of overall system safety. In order to achieve the design of an HMI, 
we will follow a few steps outlined below (we will only consider design in this tutorial and not evaluation, due to 
the intended scope). Further this section derives its steps from the following texts: Bennett & Flach (2011, 2013); 
Burns & Hajdukeiwicz (2004); Burns (2013). These texts are listed in the further reading section. 


Step a - Understanding work domain, activity and processes 

The first step of the HMI design process is to identify the boundaries of the problem under consideration. Iden- 
tifying boundaries will help in understanding the nature of the system, tasks that operators will perform as well 
as have an eventual effect on the HMI design. Identifying the problem boundary is an iterative process. Once the 
designers start understanding the nature of the system and the work domain under consideration in more gran- 
ular detail, they will be able to frame the problem boundaries for the particular system under consideration ina 
much more coherent manner. Typically, while framing the design problem, designers should not be including ex- 
isting interfaces and interface elements at the outset. This is because the goal of the design/redesign is actually 
to introduce a new interface. Typically, we would want to include technological entities that the operator has to 
interact with (monitor, supervise or control) in order to do their work. Along with identifying the problem bound- 
aries, a proper understanding of the operators’s activities, background capabilities and limitations is required. 
This can be achieved by field studies and information gathering methods such as interviews, observations, crit- 
ical incident analysis, study of error logs and work-shift records. Along with the operators, there is a need for an 
understanding of technology in experiential terms. We turn to this issue in the next step. 


Step b - Identifying design requirements and associated constraints 

Once the insights and data are acquired in Step 1, we will use Step 2 to identify the design requirements. this 
step is covered by qualitatively modelling the requirements using an analysis framework called Cognitive Work 
Analysis (CWA). The CWA consists of five steps. the first step called the Abstraction Hierarchy (AH) is used here 

to elicit design requirements. The AH, and the corresponding CWA, are a part of a broader framework that has 
been developed by Rasmussen and colleagues (Rasmussen, 1986; Rasmussen, Pjetersen and Goodstein, 1994). The 
framework addresses various dimensions ranging from the work domain activities and operators. 
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In this tutorial, we are focussing on the AH which represents the work domain in experiential terms for devel- 
oping the interface. Other steps are developed in greater detail by researchers such as Kim Vicente (1999) and 
will not be developed here in greater detail. We will be focussing on the first step that models the work domain 
under consideration. The modelling for eliciting out requirements for interface design can be achieved by this 
tool AH which is used for modelling the work domain qualitatively. 


The AH was developed to understand the work domain or the technical environment that served as the basis of 
human decision making for operators. The AH has its roots in everyday practice in high-risk systems for under- 
standing the mental models required by operators and maintainers in trouble-shooting technological equip- 
ment. Based on a few decades of research, Rasmussen identified a few generic categories of mental representa- 
tions that operators use in understanding technological equipment. These categories were grouped together 

to form the AH. They range from functional purpose from one end to physical form at the other. These mental 
representations had a basis in the physical and technological dimension or the operator about the system. There- 
fore, it served as a basis of a combined mental model of the system. In this subsection, we will develop the AH in 
further detail to show how we extract information requirements for design. 
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How do we support mental models of the operators and use it for the design of technology using a structured 
design process. 


In the AH, the figure shows a number of categories that are arranged in an ordered set. These categories can be 
understood as corresponding to different mental representations of the system that a person may use to under- 
stand the functioning of the system. These categories of representation connect the technical dimension of the 
system to the experiential basis of the operator. In order to demonstrate the various categories, we will use the 
example of an ink jet printer. Its complicated make-up will serve as an example to help us in understanding of the 
AH. 
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The first category involves functional purpose. In this level, the main issue is to capture the overall objectives of 
the system. The key ideas that are pertinent to this category are to capture generic descriptions that hold over 
the entire work domain under consideration. For example, the overall functional purpose of a printer is to print 
copies faster, use less ink and save money. 


The second level labelled as abstract function addresses basic principles , law-based understanding and relation- 
ships that exist throughout the system. At this level, the focus of understanding is in terms of abstract principles. 
For example, in the case of the printer, we will think about stoichiometric relations when we calculate how much 
black ink is required to print 500 words on an Aé4 size sheet of paper. Therefore, the level of abstract functions 
allows for representing one category of mental models that the operators may employ while trouble-shooting. 


The third level of generalized function represents the process involved in the technical functioning of the system. 
Oftentimes, in the process control systems, operators try to focus on the processes to gain an understanding of 
how the system is functioning. For example, in the printer, there are multiple physical processes relating to the 
paper moving through the printer as well as chemical processes related to the ink transfer on paper. 


At the fourth level, of physical functions, the various components, objects and sub-assemblies are presented 
along with their capabilities. At this level, the representation is at the level that tends towards physical substruc- 
tures and their associated functions. In our printer example, we will be considering components such as printer 
body, rollers, motors, among other entities and their associated functions. 


Finally, at the level of physical form, we take into account the physical dimensions and attributes of the work do- 
main or system under consideration. These include size, shape, color, appearance, location or general conditions 
of the various entities. In the printer example, we include many such attributes, such as dimensions of the ink 
bottles, paper thickness as well as other dimensions required for the representing the physical form dimensions 
of the work domain. 


In the AH, these five categories are presented together as a unified structure. The upper layers tell us about the 
“reasons” of correct functioning of the work domain; whereas, the lower layers tell us about how possible mal- 
functions can propagate upwards and throughout the system. Along with the structuring of the hierarchy, the 
various levels are also connected to the levels above and below each other through links that are knows as means 
ends links. These links give us an insight into how the various categories or levels are interconnected to each oth- 
er. If we focus on any one level, we answer the question “What?”. If we focus on the level above, we get an answer 
to the question “Why?” and when we focus on the level below, we get an answer to the question “how?”. This 
linkages of the “why-what-how” questions allows designers in structuring information and deciding on the prior- 
ities in the actual interface. This is discussed a bit later in this section. Up till now, we have described the abstrac- 
tion hierarchy and its ability to represent a technological system in experiential terms derived from categories of 
operators’ cognitive activity and decision making in a variety of situations. 
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Abstraction Hierarchy of a printer. Notice the why?-what?-how? links. 


25 


Technological 
System: 


Process Plant 


D’source 


Digital Learning Environment for Design - www.dsource.in 


Design Course 
Human Machine Interaction 
Design 


Introduction to Operator Interface/Experience 
(O1/OX) 

by 

Vivek Kant 

IDC, IIT Bombay 


Source: 
https://www.dsource.in/course/human- 
machine-interaction-design/design-process 


1. Introduction 

2. Poorly Designed Interfaces Kill People 
3. Interface Design for Complex...... 

4. Design for Operator Experience... 

5. The Design Process 

6. References and Further Reading 

7. Contact Details 


26 


Based on these categories, we will derive a list of information requirements. These information requirements tell 
us about the various aspects we need to consider in our design and are derived in the process of filling up the 
abstraction hierarchy. The AH help us to derive these requirements in the form of variables that we put in at var- 
ious levels of abstraction placed in the categories. From the abstraction hierarchy, these can be listed in terms of 
various categories to help the designer identify various requirements (see Figure below). These requirements will 
then be used in conjunction to develop graphic forms with the identified constraints and the means ends links in 
terms of the assigned priorities in the subsequent steps. 


| Functional Speed of delivery 
Cost (decrease 
money) | 
Reduce material 

| (save ink) 

| Abstract Conservation of 

| Function mass 


Conservation 


equations for ink 


Physical Form | Spin Speed 


Roller Size 


List of information requirements 


Along with the information variable, the next step that will help in the design of interfaces is the identification of 
the constraints of the system as reflected through the variables. In order to extract constraints, we ask questions 
about the limits and possible interconnections. For example, in the case of the printer, we may ask at the level of 
the functional purpose: How many copies? How quickly? We ask similar questions of the other levels. E.g. 

* Generalized function: maximum and minimum roller speed? 

¢ Physical Form: size of rollers?, etc. 
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Identifying the constraints at various levels of the AH provides us with very specific insights about what is 
permissible for individual variables as well as at the level of multiple variables. These constraints along with the 
identified information variable serves as the basis of graphic forms and interface elements. 


Step c - Identifying or developing graphic forms for displays 

After the information requirements are addressed, our next step is to address the graphical forms of displays. 
Currently, this issue has been addressed by a number of very good design books that that include generic princi- 
ples of information design and interface design elements. These generic design principles should be used judi- 
ciously with the principles of EID. Therefore, they will not be addressed here in greater detail and our focus will 
be on EID, in order to show how graphic forms could be developed to demonstrate the underlying constraints of 
the technological system that the operator can understand. 


When we want to develop a new graphic form based on the information requirements, we ask questions such as 
the following: whether we need to depict one variable or a multitude of such variables? How are the variables 
related? How will the operator view and understand these variables in context? Are there existing graphic forms 
that the operators rely upon to make sense of their work? 


In our design, we have to balance both the single variable constraints and the multi-variable constraints and de- 
pict them in the interface. For example, single variable constraints could be ink in one bottle. In this figure below, 
we are adding information that enriches the basic variables to demonstrate what can be achieved by manipula- 
tion of the variables. In other words, we are depicting the affordances of the variables that can be manipulated 
by the operator. In the figure, we have added a high cut-off for the deeper black color to be achieved; i.e., it shows 
that beyond this color, the color will be completely solid; whereas, below the lowest cut-off point the colour will 
be presented as faded. The two lines in the middle depict the current level of the ink in the cartridge. 


| Eee pecs t: Baacih | 


Graphic forms showing single-variate constraints on activity (points beyond which deepest to faded black is rep- 
resented. 
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wr] 


[High Quality} 


[Low Quality) 


Red Blue Green Black White 


Two graphic forms showing multi-variate constraints on activity of printing. the high quality (high quality preset) 
can be accommodated with a certain level of inks present; whereas, if the requisite amount of ink is not present 
then a lesser quality of print (low quality preset) could be obtained in the existing ink. 


Along with single variable constraint, let us now consider a multi-variate constraint. For example, if you were 
printing a picture with different colors and your ink was limited. Then, the interface should ideally, help you to 
identify the current state as well as opportunities for further action. The figure of multi-variables show that 
given the amount of ink for blues and green, it is clear that a high quality print-out cannot be achieved. However, 
a low quality print-out is possible. Thus, multiple variables can be involved in depicting a constraint of the system 
to provide proper information. 
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Step d - Assigning priorities and structuring the display 

In our final step, we establish clarity in the interface by structuring the various graphic forms. This structuring is 
helpful in providing the operator coherence and meaning. Designers’ use a number of principles (e.g. gestalt prin- 
ciples) to structure the interface elements and is often discussed in courses relating to 2D form and principles of 
information design. We will not go into those principles as they have been detailed in a number of design books 
and publications. 


Based on the scope of our advanced primer, here we will discuss a crucial contributor from the AH — means ends 
links. Earlier, we had discussed the means ends (why-what-how) links that gave a generic insight into the struc- 
turing of the AH. One manner in which means-ends links work is by ensuring salience. Since operators may wish 
to see the functional purpose at the highest levels and may not move to the lower levels, we could improve the 
salience of the graphic. For example, one information variable can be made more salient as compared to others 
to depict its position in the AH; i.e., the broader levels of the aim of the work domain is addressed at the level of 
functional purpose and should be depicted at a more global level or maybe at the top corner of the interface to 
make it more salient. 


Another strategy of improving design through the use of the means-ends links is to show the interconnections 
between variables that give information to the operator at any given point about “why-what-how’” of the sys- 
tem’s functioning through the interface. The individual graphic forms must be interconnected to each other in 
such a manner that it should be clear for the operator that the variables of the level of physical function are con- 
nected to the processes in the level of generalized function. The key idea at this stage is to depict various inter- 
face elements in such a manner that it provides coherence and clarity to the operator to support their reasoning 
during normal as well as abnormal functioning. 
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D’source 


Digital Learning Environment for Design - www.ds 


Design Course 
Human Machine Interaction 
Design 


Introduction to Operator Interface/Experience 
(O1/OX) 

by 

Vivek Kant 

IDC, IIT Bombay 


Source: 
https://www.dsource.in/course/human- 
machine-interaction-design/references-and- 
further-reading 


1. Introduction 

2. Poorly Designed Interfaces Kill People 
3. Interface Design for Complex...... 

4. Design for Operator Experience... 

5. The Design Process 

6. References and Further Reading 

7. Contact Details 


References and Further Reading 


Bibliography: 
a) Texts on EID 


* Burns, C. M. (2013). Ecological Interfaces. In J. D. Lee & A. Kirlik (Eds.), The Oxford Handbook of Cognitive Engi- 
neering. New York, N.Y.: Oxford University Press. 
http://doi.org/10.1093/oxfordhb/9780199757183.013.0039 


* Burns, C. M., & Hajdukiewicz, J. R. (2004). Ecological interface design. Boca Raton, FL: CRC Press. 


* Bennett, K. B., & Flach, J. (2011). Display and interface design : subtle science, exact art. Boca Raton, 
Fla.: CRC Press. 


¢ Bennett, K. B., & Flach, J. M. (2013). Configural and Pictorial Displays. In J. D. Lee & A. Kirlik (Eds.), 
The Oxford Handbook of Cognitive Engineering. Oxford University Press. 


* Bennett, K. B., & Flach, J. (2019). Ecological Interface Design: Thirty-Plus Years of Refinement, Progress, and Po- 
tential. Human factors, 61(4), 513-525. 


* Kant, V. & Sudakaran, J. (2021). Extending the Ecological Interface Design process—Integrated EID. Human Fac- 
tors and Ergonomics in Manufacturing & Service Industries. 10.1002/hfm.20933. 


¢ Kant, V., & Wahlstrom, M. (2019). Conceptual Intermediate Structures for Interaction Design in Complex Safe- 
ty-Critical Systems. In Research into Design for a Connected World (Vol. 134, pp. 189-199). 

Singapore: Springer, Singapore. 

http://doi.org/10.1007/978-981-13-5974-3 17 


* Kant, V. (2017). The sociotechnical constitution of cognitive work analysis: roles, affordances and malfunctions. 
Theoretical Issues in Ergonomics Science, 19(2), 195-212. 
http://doi.org/10.1080/1463922X.2017.1311384 


* Vicente, K. J. (2002). Ecological Interface Design: Progress and Challenges. Hum Factors, 44(1), 62-78. 
http://doi.org/10.1518/0018720024494829 


30 


D’source 


Digital Learning Environment for Design - www.d 


Design Course 
Human Machine Interaction 
Design 


Introduction to Operator Interface/Experience 
(O1/OX) 

by 

Vivek Kant 

IDC, IIT Bombay 


Source: 
https://www.dsource.in/course/human- 
machine-interaction-design/references-and- 
further-reading 


1. Introduction 

2. Poorly Designed Interfaces Kill People 
3. Interface Design for Complex...... 

4. Design for Operator Experience... 

5. The Design Process 

6. References and Further Reading 

7. Contact Details 


SI 


* Vicente, K. J., & Rasmussen, J. (1992). Ecological interface design: theoretical foundations. IEEE Transactions on 
Systems, Man, and Cybernetics, 22(4), 589-606. 
http://doi.org/10.1109/21.156574 


b) Texts on Cognitive Systems Engineering and Ris@ approach 


¢ Hollnagel, E., & Woods, D. D. (1983). Cognitive Systems Engineering: New wine in new bottles. International Jour- 
nal of Man-Machine Studies, 18(6), 583-600. 


* Hollnagel, E., & Woods, D. D. (2005). Joint cognitive systems: Foundations of cognitive systems engineering. CRC 
press. 


* Kant, V. 2016. The Human as a System Component in Nuclear Installations: Jens Rasmussen and High-Risk Sys- 
tems, 1961-1983. Technology's Stories. doi:10.15763/JOU.TS.2016.6.1.03. 
http://www.technologystories.org/the-human-as-a-system-component-in-nuclear-installations-jens-rasmussen- 
and-high-risk-systems-1961-1983/ 


* Kant, V. 2017. “Supporting the Human Life-raft in Confronting the Juggernaut of Technology: 
Jens Rasmussen, 1961-1986.” Applied Ergonomics 59: 570-580 


+ Le Coze, J. C. (2017). Reflecting on Jens Rasmussen’s legacy (2) behind and beyond, a ‘constructivist turn’. Applied 
Ergonomics, 59, 558-569. 


¢ Rasmussen, J. (1979). On the structure of knowledge - a morphology of metal models in a man-machine system 
context. Ris@ National Laboratory ER . 


¢ Rasmussen, J. (1986). Information processing and human-machine interaction : an approach to cognitive engi- 
neering. New York: North-Holland. 


¢ Rasmussen, J. (1983). Skills, rules, and knowledge; signals, signs, and symbols, and other distinctions in human 
performance models. IEEE Transactions on Systems, Man, and Cybernetics, (3), 257-266. 


¢ Rasmussen, J., Goodstein, L. P., & Pejtersen, A. M. (1994). Cognitive systems engineering. 
New York: John Wiley & Sons. 


* Waterson, P., Le Coze, J. C., & Andersen, H. B. (2017). Recurring themes in the legacy of Jens Rasmussen. Applied 
Ergonomics, 59, 471-482. 


D’source 


Digital Learning Environment for Design - 


Design Course 
Human Machine Interaction 
Design 


Introduction to Operator Interface/Experience 
(O1/OX) 

by 

Vivek Kant 

IDC, IIT Bombay 


Source: 
https://www.dsource.in/course/human- 
machine-interaction-design/references-and- 
further-reading 


1. Introduction 

2. Poorly Designed Interfaces Kill People 
3. Interface Design for Complex...... 

4. Design for Operator Experience... 

5. The Design Process 

6. References and Further Reading 

7. Contact Details 


a2 


* Woods, D. D., & Hollnagel, E. (2006). Joint cognitive systems: Patterns in cognitive systems engineering. CRC 
Press. 


c) Texts on Therac-25 


+ Casey, S. (1998). Set phasers on stun: and other true tales of design, technology, and human error. 
Santa Barbara, Cal.: Aegean. 


* Leveson, N. G. (2017). The Therac-25: 30 Years Later. Computer, 50(11), 8-11. 


* Leveson, N. G., & Turner, C. S. (1993). An investigation of the Therac-25 accidents. Computer, 26(7), 18-41. 


D’source 


Digital Learning Environment for Design - w 


Design Course 

Human Machine Interaction 
Design 

Introduction to Operator Interface/Experience 
(O1/OX) 

by 

Vivek Kant 

IDC, IIT Bombay 


Source: 
https://www.dsource.in/course/human- 
machine-interaction-design/contact-details 


1. Introduction 

2. Poorly Designed Interfaces Kill People 
3. Interface Design for Complex...... 

4. Design for Operator Experience... 

5. The Design Process 

6. References and Further Reading 

7. Contact Details 


Contact Details 


This Course was created by Vivek Kant at IDC, IIT Bombay. 


You can get in touch with him at vkant[at]iitk.ac.in 
http://homepages.iitb.ac.in/~vivek.kant/ 


You can write to the following address regarding suggestions and clarifications: 


Helpdesk Details: 
Co-ordinator 

Project e-kalpa 
Industrial Design Centre 
IIT Bombay 

Powai 

Mumbai 4000 076 

India 


Phone: 091-22-2159 6805/ 091-22-2576 7802 
Email: dsource.in[at]gmail.com 


